INTERNET-DRAFT Clifford Neuman
draft-ietf-cat-kerberos-pk-init-00.txt Brian Tung
Updates: RFC 1510 ISI
expires September 3, 1995 John Wray
Digital Equipment Corporation
Public Key Cryptography for Initial Authentication in Kerberos
0. Status Of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other docu-
ments at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as ``work in pro-
gress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Sha-
dow Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
The distribution of this memo is unlimited. It is filed as
draft-ietf-cat-kerberos-pk-init-00.txt, and expires August 6, 1995.
Please send comments to the authors.
1. Abstract
This document defines extensions to the Kerberos protocol specifi-
cation (RFC 1510, "The Kerberos Network Authentication Service
(V5)", September 1993) to provide a method for using public key
cryptography during initial authentication. The method defined
specifies the way in which preauthentication data fields and error
data fields in Kerberos messages are to be used to transport public
key data.
2. Motivation
Public key cryptography provides a means by which a principal may
demonstrate possession of a key, without ever having divulged this
key to anyone else. In conventional cryptography, the encryption key
and decryption key are either identical or can easily be derived from
each other. In public key cryptography, however, neither key can be
derived easily from the other; hence, the ability to encrypt a message
does not imply the ability to decrypt it in turn. Additionally, each
key is a full inverse of the other, so that either key can be used
for encryption or decryption.
The advantages provided by public key cryptography have produced a
demand for its integration into the Kerberos authentication protocol.
There are two important areas where public key cryptography will have
immediate use: in the initial authentication of users registered with
the KDC or using public key certificates from outside authorities,
and to establish inter-realm keys for cross-realm authentication.
This memo describes a method by which the first of these can be done.
The second case will be the topic for a separate proposal.
Some of the ideas on which this proposal is based arose during
discussions over several years between members of the SAAG, the
IETF-CAT working group, and the PSRG, regarding integration of
Kerberos and SPX. Some ideas are drawn from the DASS system, and
similar extensions have been discussed for use in DCE. These changes
are by no means endorsed by these groups. This is an attempt to
revive some of the goals of that group, and the proposal approaches
those goals primarily from the Kerberos perspective.
This proposal will allow users with keys already registered for use
with X.509, PEM, or PGP, to use those keys to obtain Kerberos
credentials which can then be used for authentication with application
servers supporting Kerberos.
Use of public-key will not be a requirement for Kerberos, but if one's
organization runs a KDC supporting public key, then users may choose
to be registered with public keys instead of the current secret key.
The application request and response, between Kerberos clients and
application servers, will continue to be based on conventional
cryptography, and the application servers will continue to be
registered with conventional keys.
3. Initial authentication of users with public keys
This section proposes extensions to Version 5 of the Kerberos
protocol that will support the use of public key cryptography
by users in the initial request for a ticket granting ticket.
The advantage of registering public keys with the KDC lies in the
ease of recovery in case the KDC is compromised. With Kerberos as it
currently stands, compromise of the security KDC is disastrous. All
keys become known by the attacker and all keys must be changed.
If users register public keys, compromise of the KDC does not divulge
their private key. Compromise of security on the KDC is still
disastrous, since the attacker can impersonate any user. An
attacker with the private key of the KDC can use it to certify a
bogus nonce key, and impersonate a user. Changing this key
invalidates all bogus certifications. Legitimate users must
re-certify their keys with the new KDC key, but users' public
keys do not have to be changed. (Users who store their private
keys in an encrypted form on the KDC do have to change their
keys, since the encryption key is a symmetric key derived from
a password (as described below) and hence vulnerable to dictionary
attacks. The difference is that, assuming good password policy,
site policy may allow the use of the old password only for the
purpose of key change for a time after the compromise, which means
that users can change their own passwords, rather than forcing the
administrator to re-key everyone.)
In the event of compromise of the KDC, recovery is simple since only
the KDC's key, keys for application servers, and users' private keys
stored in the KDC (as described above) must be changed.
Since there are usually fewer servers than users, and since an
organization usually has better procedures for updating servers,
changing these keys is much easier than having to individually
contact every user.
This proposed extension will not require users to register with
public keys. It is intended to allow them to do so, but we recognize
that there are many reasons, including licensing terms, that users or
an organization as a whole will choose not to use the public key
option. Users registered will public keys will only be able to
perform initial authentication from a client that support public key,
and must be registered in a realm that supports public key. But they
will be able to use services registered in realms that support only
conventional Kerberos. Further, users registered with conventional
Kerberos keys will be able to use all clients.
This proposal specifically does not address the registration of
public keys for services. The application request and response,
between Kerberos clients and application servers, will continue to be
based on conventional cryptography, and the application servers will
continue to be registered with conventional keys. There are
performance issues and other reasons that servers may be better off
using conventional cryptography. There are also reasons that they
may want to use public key. For this proposal, however, we feel that
80 percent of the benefits of integrating public key with Kerberos
can be attained for 20 percent of the effort, by addressing only
initial authentication. This proposal does not preclude separate
extensions.
This proposal address two ways in which users may use public key
cryptography for initial authentication with Kerberos. In both
cases, the end result is that the user obtains a conventional ticket
granting ticket, or conventional server ticket, that may be used for
subsequent authentication, with such subsequent authentication using
only conventional cryptography.
Users may register keys directly with the KDC, or they may present
certificates by outside certification authorities (or certifications
by other users) attesting to the association of the public key with
the named user. We first consider the case where the user's key is
registered with the KDC.
3.1 Initial request for user registered with public key on KDC
In this scenario it is assumed that the user is registered with a public
key on the KDC. The user's private key may be known to the user, or
may be stored on the KDC, encrypted so that it can not be used by the KDC.
We consider first the case where the user knows the private key, then
add support for retrieving the private key from the KDC.
The initial request to the KDC for a ticket granting ticket proceeds
according to RFC 1510. Typically, preauthentication using a secret
key would not be included, but if included it may be ignored by the
KDC. (This may introduce a problem: even if the KDC should ignore
the preauthentication, an attacker may not, and use an
intercepted message to guess the password off-line.)
If the private key is known to the client in advance, the
response from the KDC would be identical to the response in RFC1510,
except that instead of being encrypted in the secret key shared by the
client and the KDC, it is encrypted in a random key freshly generated
by the KDC. A preauthentication field (specified below)
accompanies the response, containing a certificate with the public
key for the KDC, and a package containing the secret key in which the
rest of the response is encrypted, itself encrypted in the private key
of the KDC, and the public key of the user. This package also contains
the same nonce used in the rest of the response, in order to prevent
replays of this part of the message, accompanied by a reconstructed
response.
PA-PK-AS-REP ::= SEQUENCE {
kdc-cert SEQUENCE OF OCTET STRING,
encryptPack EncryptedData -- EncPaPkAsRepPart
}
EncPaPkAsRepPart ::= SEQUENCE {
enc-sess-key INTEGER,
nonce INTEGER
}
Upon receipt of the response from the KDC, the client will verify the
public key for the KDC from PA-PK-AS-REP preauthentication data field,
The certificate must certify the key as belonging to a principal whose
name can be derived from the realm name. We solicit discussion on the
form of the kdc-cert. If client systems are expected to know (by
being hard-coded, for example) at least one public key, and to verify
certificates from that key, then there should be at least some policy
about which key that is, or alternatively some way to inform the KDC
which key the client possesses.
If the certificate checks
out, the client then extracts the message key for the rest of the
response by decrypting the field in the PA-PK-AS-REP with the public
key of the KDC and the private key of the user. The client then uses
the message key to decrypt the rest of the response, and continues as
per RFC1510[1].
3.1.1. Private key held by KDC
When the user's private key is not carried with the user, the user may
encrypt the private key using conventional cryptography, and register
the encrypted private key with the KDC.
When the user's private key is registered with the KDC, the KDC record
will also indicate whether preauthentication is required before
returning the record (we recommend that it be required). If such
preauthentication is required, when the initial request is received
the KDC will respond with a KRB_ERROR message of type
KDC_ERR_PREAUTH_REQUIRED and with an error data field set to:
PA-PK-AS-INFO ::= SEQUENCE {
kdc-cert OCTET STRING}
}
The kdc-cert field is identical to that in the PA-PK-AS-REP
preauthentication data field returned with the KDC response, and must
be validated as belonging to the KDC in the same manner.
Upon receipt of the KRB_ERROR message with a PA-PK-AS-INFO field, the
client will prompt the user for the password that will be used to
decrypt the private key when returned, calculate a one way hash H1 of the
key, and send a request to the KDC, including a timestamp and a
client-generated nonce secret key that will be used to super-encrypt
the encrypted private key before it is returned to the client. This
information is sent to the KDC in a subsequent AS_REQ message in a
preauthentication data field:
PA-PK-AS-REQ ::= SEQUENCE {
enc-part EncryptedData -- EncPaPkAsReqPart
}
EncPaPkAsReqPart ::= SEQUENCE {
tstamp KerberosTime,
noncekey INTEGER
}
encrypted first with the hash H1, then the public key of the KDC from
the certificate in the PA-PK-AS-INFO field of the error response.
Upon receipt of the authentication request with the PA-PK-AS-REQ the
KDC verifies the hash of the user's DES encryption key by comparing it
to the hash stored in the users database record. If valid, it
generates the AS response as defined in RFC1510, but additionally
includes a preauthentication field of type PA-PK-USER KEY. This
response will also be included in response to the initial request
without preauthentication if preauthentication is not required for the
user and the user's encrypted private key is stored on the KDC. The
KDC generates a preauthentication data field of type PA-PK-USER-KEY
which will be returned with the KDC reply (together with the
PA-PK-AS-REP that is already returned).
PA-PK-USER-KEY ::= SEQUENCE {
enc-priv-key OCTET STRING OPTIONAL
}
This message contains the encrypted private key that has been
registered with the KDC by the user, as encrypted by the user,
super-encrypted with the noncekey from the PA-PK-AS-REQ message if
preauthentication using that method was provided. Note that since
H1 is a one-way hash, it is not possible for one to decrypt the
message if one possesses H1 but not the noncekey that H1 is derived
from.
3.2. Clients with a public key certified by an outside authority
In the case where the client is not registered with the current KDC,
the client is responsible for obtaining the private key on its own.
The client will request initial tickets from the KDC using the TGS
exchange, but instead of performing pre-authentication using a
Kerberos ticket granting ticket, or with the PA-PK-AS-REQ that is used
when the public key is known to the KDC, the client performs
preauthentication using the preauthentication data field of type
PA-PK-AS-EXT-CERT:
PA-PK-AS-EXT-CERT ::= SEQUENCE {
user-cert SEQUENCE OF OCTET STRING,
authent EncryptedData -- PKAuthenticator
}
PKAuthenticator ::= SEQUENCE {
cksum Checksum OPTIONAL,
cusec INTEGER,
ctime KerberosTime,
}
The fields in the encrypted authenticator are the same as those
in the Kerberos authenticator. The structure is itself signed using
the user's private key corresponding to the public key in the
certificate.
The KDC will verify the preauthentication authenticator, and check the
certification path against its own policy of legitimate certifiers.
This may be based on a certification hierarchy, or simply a list of
recognized certifiers in a system like PGP.
If all checks out, the KDC will issue Kerberos credentials, as in 3.1,
but with the names of all the certifiers in the certification path
added to the transited field of the ticket, with a principal name
taken from the certificate (this might be a long path for X.509, or a
string like "John Q. Public <jqpublic@company.com>" if the certificate
was a PGP certificate. The realm will identify the kind of
certificate and the final certifier (e.g. PGP:<endorser@company.com>)[2].
4. Compatibility with One-Time Passcodes
We solicit discussion on how the use of public key crytpgraphy for
intial authentication will interact with the proposed use of one time
passwords discussed in Internet Draft
draft-ietf-cat-kerberos-passwords-00.txt
5. Expiration
This Internet-Draft expires on August 6, 1995.
6. Authors' Addresses
B. Clifford Neuman
USC/Information Sciences Institute
4676 Admiralty Way #1001
Marina del Rey, CA 90292-6695
Phone: 310-822-1511
EMail: bcn@isi.edu
Brian Tung
USC/Information Sciences Institute
4676 Admiralty Way #1001
Marina del Rey, CA 90292-6695
Phone: 310-822-1511
EMail: brian@isi.edu
John Wray
Digital Equipment Corporation
550 King Street, LKG2-2/Z7
Littleton, MA 01460
Phone: 508-486-5210
EMail: wray@tuxedo.enet.dec.com
[1] Note: We have not yet defined the public key encryption method for
encrypting the enc-sess-key field in the PA-PK-AS-REP.
[2] Note: We are soliciting input on the form of the name. We believe the
name part must be taken without modification from the certificate, but the
realm part is open for discussion.